UIS.203.2 Configuration Change Control Guidelines
In support of UIS.203 Configuration Management Policy
Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Configuration change control includes, but is not limited to:
- changes to baseline configurations for components and configuration items of information systems
- changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices)
- unscheduled/unauthorized changes
- changes to remediate vulnerabilities
Configuration Change Control Requirements
The UIS system change control process incorporates the following:
- Enforcement of formal change control procedures. Requesting approvals and managing changes to the systems are described in UIS Change Approval and Management Procedures. This effort should include the following processes, controls, and best practices:
Proper authorization and approvals at all levels
Documenting configuration change decisions associated with the information system
Restricting changes to the information system until approvals are received
Limiting access to only those parts of the system necessary for the approved change
Definitions of job responsibilities/restrictions and establishing authority levels for the following:
Change Manager, and other IT staff
Successful testing of updates and new programs prior to their being moved into a production environment.
Test, validate, and document changes to the information system before implementing the changes on the system
Determine the types of changes to the information system that are configuration controlled
Safeguard production systems during modification, including emergency changes
- Implementation of approved configuration-controlled changes to the information system
- Retention of configuration change logs for the information system over the life of the system
Version control for each application
Tying program documentation updates to source code updates
Standard software load for workstations, servers, network components, and mobile devices and laptops
Audit and review activities associated with configuration-controlled changes to the information system
Audit logs that track all accesses to the system, copying and use of source code, and updates posted to libraries
Rollback procedures designed to recover to previous stable version of programs
Coordination and oversight for configuration change control activities through a Configuration Change Control Board that convenes when configuration changes occur
Management of security vulnerabilities so that they are prioritized, evaluated, tested, documented, approved, and applied promptly to minimize the exposure of unpatched resources. Vulnerability Management requirements are addressed in the Vulnerability Management Guideline.
Role-based training for business and technical users covering new features and security controls introduced by the upgrade.